Opinion
Economics of cyber security
It is important for businesses to think of cyber risks as business-related risks and not merely IT-related risks

Vivek S Rana
Recent large-scale security breaches have highlighted a new class of threat to digital networks. Advanced Persistent Threats (APTs) have made global headlines, to the dismay of many enterprises. The most recent episode was at the Central Bank of Bangladesh, from where hackers stole millions. It is evident that the bank did not have the right protocols in place. The Central Bank of Nepal, Nepal Rastra Bank, and even commercial banks can learn an important lesson from this incident, especially on what not to do. Cyber security experts acknowledge that such attacks are likely. The risk is increasing for all organisations, but banks and financial institutions are at greater risk for a simple reason—that is where the money is.
Following the incident, the Central Bank of Sri Lanka commented that it was a wake-up call. The heist is reverberating around the globe. A Bank of England letter made public after a Freedom of Information request further underscored the global nature of the risk, with the UK’s central bank saying it faced “advanced, persistent” cyber threats. In India, a high-level government official immediately communicated the security establishment’s concerns to the Reserve Bank of India, urging more caution.
Nepal lacks adequate cybercrime legislation and appears to have neglected the vulnerabilities of cyber technology. The push towards government cloud systems, a supply-led approach to IT investment in Nepal, is even more dangerous given that managing even the current physical network remains a challenge. One cannot expect to grow the demand side of information technology when the supply side is heavy and the controls that should balance demand-side business activities are non-existent. A lack of controls leads to business failures, and this is exactly what was exploited in the case of the Central Bank of Bangladesh. However, there is evidence that some commercial banks in Nepal have heightened their security posture after this incident, which is an encouraging sign.
There has been a tenfold rise in internet access in Nepal, but the level of connectivity is still so low as to hamper the establishment of a digital economy, especially beyond the capital and metropolitan cities. Although steps have been taken to facilitate dialogue between the government and the private sector, the effectiveness of that interaction is yet to be seen. There is an increasing social awareness of cyber issues, although the discussion mostly highlights concerns about the abuse of legislative power and lack of transparency in decision making.
Risk mitigation
It is important to acknowledge that Nepal does not have a consistent legal framework for cyber security, cyber policy and cybercrime. There is an Electronic Transaction Act (2006); however, it has not kept pace with rapid developments in the area of cyber security. There is a provision for a legal tribunal to handle cyber-related cases, but the legal structure is yet to be formalised. It is relatively unclear which government entity or department is supposed to drive this important agenda forward. Information Technology Security Emergency Response Team, Nepal (ITSERT-NP), a forum for ICT security professionals, entrepreneurs and organisations in Nepal, is the only entity that has been active since 2015 in areas of cyber security and in raising awareness of such issues from a technical perspective. However, it does not appear to have robust response capabilities or the ability to retain the staff needed to improve them.
Traditionally considered nation-state-sponsored activities aimed at government networks, cyber threats have also become problematic for private enterprises. Google, NASA, RSA and several governments have experienced large security breaches due to APTs, demonstrating that APTs effectively target both private enterprises and government networks. Because there are multiple opinions on what constitutes an APT, establishing a clear definition is difficult. Stealth, adaptability and persistence characterise this class of threat. For example, whereas traditional cyber threats often try to exploit a vulnerability but move on to something less secure if they cannot penetrate their initial target, APTs do not stop. The people and groups behind APT attacks are resolute and have the resources to mount sustained attacks on enterprises, making them hard to defend against. Often email filters are not effective enough, and it takes only a single user clicking a link or opening an attachment for an APT to begin the first phase of its attack.
Way forward
First, it is important to take threats seriously. Undoubtedly, they are coming. Any risk assessment programme starts from the acknowledgement of risk. Since there are few opportunities for engagement on cyber issues, any intervention will require dedicated efforts to engage the government and the private sector. The lack of demonstrated government interest in developing technical capabilities is severely limiting our ability to handle cybercrime.
It is equally important for businesses to think of cyber risks as business-related risks and not merely IT-related risks. The Central Bank needs to revisit its model for IT governance and establish an IT risk committee along the same lines as its audit and credit risk committees. History has shown several times that financial fraud takes place when a single person is given the authority to create business value and manage business risk at the same time.
Increasing the awareness, capability and response mechanisms of law enforcement agencies is a must. How effectively a country combats financial cybercrime will directly affect business confidence in that country. Without a reliable and safe online environment, companies are unlikely to invest.
It is important to understand that cyber security is no longer an IT issue, and one cannot get away from it by saying “I am not a technical person”. It is an intrinsic part of the digital economy and if Nepal wishes to be a part of it, it must address the challenges effectively.
Rana is an IT assurance, governance and risk management professional